Simplified Integration of Amazon S3

The following tutorial describes how to use Amazon S3 as a Cloud Storage for the webQsee Cloud Gallery.
This is the simplified version of the tutorial, suited best for

  • single webQsee users that want to use the Cloud Gallery only for themselves
  • webQsee teams that want to have only a single pair of credentials in order to connect all members of the team to the Cloud Storage. They will benefit from an easier setup and maintenance of the Cloud Storage integration, but have to accept that Cloud-Storage user rights will only be enforced by webQsee, not by the Cloud Storage itself.
    • You should probably only do this if you are a rather small team and trust all members that they won't just randomly delete stuff on the Cloud Storage that they shouldn't delete. If you don't have full trust in all your team members or just want to be on the safe side, follow the normal S3 integration tutorial instead.


Enforcing User Rights

webQsee honors the privacy of your Cloud Gallery items. The browser extension talks directly to the Cloud Storage without any of our servers in between. User rights of items on the Cloud Storage are on one hand enforced in the browser extension (client-side).
On the other hand, they can be enforced on the Cloud Storage as well (server-side), but this is skipped in this simplified setup tutorial on purpose.

So, in the regular setup, the Cloud Storage would differentiate between normal users and admins.

But if you are, for example, a single user who wants to use the Cloud Gallery just for themselves, there is no need for multiple user groups on the Cloud Storage, as you will be the only person accessing it anyway. In return, you benefit from a simpler setup process.

Or if you are a webQsee team but want to use only a single pair of Cloud Storage credentials in order to keep things simple, there is also no need for multiple user groups on the Cloud Storage, as there will be only a single Cloud Storage user that is shared by all members of your webQsee team.
This has the side effect that the Cloud Storage won't be able to differentiate between normal members of your team and admins.
So, if a member of your team accessed the API of the Cloud Storage manually, you could not prevent them from deleting anything that webQsee stored there.
So, if you are indeed a team of multiple users, follow the normal setup instead if you do not fully trust all of your team members, or if you simply want every member to get their own credentials for the Cloud Storage (so they can be invalidated if and when the user leaves the webQsee team).

Getting Started

If you are already using Amazon S3 with a webQsee Cloud Gallery and would like to set up an additional Cloud Gallery for another webQsee team, using the existing S3 Settings, then there are also separate tutorials for that.

In this tutorial we assume that you do not yet have an Amazon AWS account, so we show you how to get started with a free one. You can skip these steps if you already have an AWS account that is ready for an additional S3 bucket.

Create a free Amazon AWS account

Navigate to https://aws.amazon.com/free and create an account. Please note that the free accounts only stay free under certain conditions. If you exceed certain usage limits, you will have to pay for your AWS account. Those limits are documented on Amazon's AWS website.

After selecting the support plan (preferably the free one if you are new to AWS), click the button "Sign in to the Console" or use the link https://console.aws.amazon.com/console/home.

Sign in to the AWS Console

Sign in at https://console.aws.amazon.com/console/home as "Root user" using the credentials of your new AWS account.
If you already had an existing AWS account, sign in with an account that has sufficient rights for managing S3 storages and users.
Verify that you have been logged in correctly and that you have access to the AWS Management Console.

Setting up a single user group and policy

Soon we will create an Amazon S3 Bucket to be used as storage for the raw data of the webQsee Cloud Gallery.
But first, we will create a single user group that grants all required rights on the S3 Bucket to your Cloud Storage user (which we will create as well).

Open the IAM management page: https://console.aws.amazon.com/iam/home

Then navigate to "Policies" and click "Create policy".

Creating the Policy that grants all rights on the Bucket

Change from "Visual editor" to "JSON" and replace the code you see there by the following JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::webqsee/webqsee/*/items-root/shared/*",
        "arn:aws:s3:::webqsee/webqsee/*/items-root/protected/*",
        "arn:aws:s3:::webqsee/webqsee/*/items-root/private/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::webqsee"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "webqsee/*/items-root/",
            "webqsee/*/items-root/*"
          ]
        }
      },
      "Effect": "Allow"
    }
  ]
}

Please note that in all occurrences of arn:aws:s3:::webqsee the "webqsee" is the name of the S3 bucket that we are going to create later in this tutorial.
If you are using an AWS account that already contains a bucket named "webqsee" and you would like to create a different bucket for this tutorial, then change all occurrences of arn:aws:s3:::webqsee to arn:aws:s3:::custombucketname (the bucket name must match in every ARN, otherwise the user will be denied access to the renamed bucket).
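As an added check (not part of the tutorial or of webQsee itself), the following script rebuilds the policy above for a chosen bucket name and verifies that it stays scoped the way the tutorial intends: only the listed actions, every Resource inside the chosen bucket, and s3:ListBucket limited by an s3:prefix condition. It is useful when renaming the bucket, where forgetting one ARN is an easy mistake; function names and the finding texts are my own.

```python
import json

# Actions the tutorial policy grants; anything else (e.g. "s3:*") is flagged.
ALLOWED_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                   "s3:AbortMultipartUpload", "s3:ListBucket"}


def tutorial_policy(bucket="webqsee"):
    """The tutorial's IAM policy, with every bucket ARN pointed at `bucket`."""
    arn = f"arn:aws:s3:::{bucket}"
    tiers = ("shared", "protected", "private")
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:AbortMultipartUpload"],
         "Resource": [f"{arn}/webqsee/*/items-root/{t}/*" for t in tiers]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [arn],
         "Condition": {"StringLike": {"s3:prefix": ["webqsee/*/items-root/",
                                                    "webqsee/*/items-root/*"]}}},
    ]}


def rename_bucket(policy, old, new):
    """Rewrite every arn:aws:s3:::<old> ARN to the new bucket name; the key prefix
    'webqsee/*/items-root/' inside the bucket is left untouched, as in the tutorial."""
    return json.loads(json.dumps(policy).replace(f"arn:aws:s3:::{old}", f"arn:aws:s3:::{new}"))


def check_policy(policy, bucket):
    """Return a list of findings; an empty list means the policy is scoped as intended."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # the tutorial policy contains Allow statements only
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: unexpected action {a}")
        for r in resources:
            # A resource must be the bucket itself or an object path inside it.
            if r != bucket_arn and not r.startswith(bucket_arn + "/"):
                findings.append(f"statement {i}: resource {r} is outside bucket {bucket}")
        if "s3:ListBucket" in actions:
            prefixes = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
            if not prefixes:
                findings.append(f"statement {i}: s3:ListBucket is not limited by s3:prefix")
    return findings
```

Run `check_policy(rename_bucket(tutorial_policy(), "webqsee", "custombucketname"), "custombucketname")` after renaming; a non-empty result points at the statement that still references the old bucket.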

When you have pasted the JSON into the editor, continue by clicking "Review policy". Enter webqsee-admin as the policy name.

(In case you are using an AWS account that already has a policy with this name, define an alternative name for the policy.)

Click "Create policy" after entering the policy name. You should see a success message, telling you that the policy has been created.

Creating a single User Group

In the IAM Console, open "Groups", then click "Create New Group".

When asked to set a group name, enter webqsee-admin and click "Next Step" afterwards.

(If you are using an AWS account that already has a group of this name, choose an alternative name.)

In the next step, called "Attach Policy", search for the Admin-Policy you created before and check it. Then click "Next Step".

Review the changes, then click "Create Group".

After creating the group, you should see the newly created group in the overview table of the groups page.

Creating a single User

We will create a single Cloud Storage User. You will later use the credentials of this user to connect your webQsee browser extension to the Cloud Storage. If you have a team consisting of multiple webQsee users, then all users will use the same credentials of the single Cloud Storage User.

First, navigate to the "Users" overview page of the IAM console and click "Add user".

Set an appropriate user name. In this example we use webqsee-admin-user, but you could also choose a different name.
Make sure to enable the checkbox for programmatic access! Click the "Next" button after setting a name and enabling the checkbox.

In the next step, search for the admin group you created previously and check this group.

After checking the appropriate group, click the "Next" button.
On the next page ("Add tags") there is nothing to do. You can skip this page and click "Next" again.
On the final page, review the changes and click "Create user" afterwards.

In the final screen that confirms the creation of the user, it is important that you copy the Access key ID and the Secret access key and store them somewhere safe. You will need these credentials later to sign in to the Cloud Storage in the webQsee browser extension.

Click the "Close" button after you copied the Access key ID and the Secret access key and stored them in a secure location.

Now that we have set up users and rights, we can finally create the new S3 bucket.

Open the S3 Console located under https://s3.console.aws.amazon.com/s3/home and click the "Create bucket" button there.

In the general configuration of the bucket, set the bucket name to the name used in the policy earlier. If you did not change the bucket name in the policy, then it should be webqsee

In the region setting, choose a region that works best for you or just keep the preselected region.
Write down the region code (the hyphen-separated last part of the region name) somewhere; you will need it later. In our example it is eu-central-1.

Enable the checkbox for blocking all public access.

Set Bucket Versioning to disabled, skip adding tags and skip the advanced settings. If you want to use server-side encryption to increase the security of the data in your bucket, you can enable it. If you enable server-side encryption, choose the key type "Amazon S3 key". This is the simplest variant and requires no additional setup steps. It is also the only variant that has been tested in combination with webQsee.

Click the button "Create bucket" after you are finished with entering the settings as described. You should then see a success message.

Now click on the name of the new bucket in order to open its details page. There click on the tab "Permissions".

Scroll down the permissions-page until you reach the point Cross-origin resource sharing (CORS).
There you click "Edit" and then paste the following code (replacing any existing code):

[
  {
    "AllowedHeaders": [
      "*"
    ],
    "AllowedMethods": [
      "PUT",
      "POST",
      "GET",
      "DELETE",
      "HEAD"
    ],
    "AllowedOrigins": [
      "*"
    ],
    "ExposeHeaders": [
      "ETag"
    ],
    "MaxAgeSeconds": 3600
  }
]

Click "Save changes" after you pasted these settings.

You should see a success message after saving the CORS settings.

We are now done preparing the Cloud Storage and can connect it to our webQsee Cloud Gallery.

Open the webQsee Gallery and switch to the tab "Cloud Gallery". Then click "Edit Settings".

In the configuration window, you need to provide the following team-wide settings:

  1. The Storage Type: choose S3 compatible storage, KEY-Auth (there is only one available at the moment anyway).
  2. The name of the bucket that you created in this tutorial; this should be webqsee unless you gave it a different name.
  3. The connection settings, which in the case of original Amazon S3 should not need more information than the region of the bucket.
    During the bucket setup, you should have noted down the bucket region; if not, take a look at the bucket overview page. In our case the bucket region is eu-central-1:
    {
      "region": "eu-central-1"
    }

The team-wide settings only need to be provided once and will be shared automatically with all members of the webQsee team.

Then you need to provide the following personal settings:

  1. Access Key Id: The access key id you noted down previously for the AWS IAM user that you created in this tutorial.
  2. Secret Access Key: The secret access key you noted down previously for the AWS IAM user that you created in this tutorial.

If you have a team with multiple webQsee users, then they need to use the same "Access Key Id" and "Secret Access Key" when accessing your team's Cloud Gallery. So you need to send these credentials to your other team members, for example via email.

After entering all required settings, click the "Save" button.

After saving, you should see a success message in the top right corner of the page, and the warning that the storage configuration is incomplete should be gone.

Congratulations! Cloud Storage setup is now complete! You can switch to the Local Gallery and upload items to the Cloud Gallery, using your brand-new storage.

Feel free to contact us if you have any troubles setting up the cloud storage.